b'       FEDERAL ELECTION COMMISSION \n\n\n        OFFICE OF INSPECTOR GENERAL \n\n\n\n\n\n                  FINAL REPORT \n\n\n2007 Performance Audit of Privacy and Data Protection \n\n\n\n\n\n                   December 2007 \n\n\n             ASSIGNMENT No. OIG-07-02 \n\n\x0c                      FEDERAL ELECTION COMMISSION\n                      WASHINGTON, D.C. 20463\n                      Office of Inspector General\n\n\n\nMEMORANDUM\n\n\nTO:               The Commission\n\nFROM:             Inspector General\n\nSUBJECT:          2007 Performance Audit of Privacy and Data Protection\n\nDATE:             December 7, 2007\n\nThe Office of Inspector General (OIG) of the Federal Election Commission (FEC) contracted\nwith Cotton & Company, LLP to conduct a performance audit of privacy and data protection\npolicies and procedures and, specifically, to determine whether the FEC is complying with\nSection 522 of the Consolidated Appropriations Act, 2005 (42 U.S.C.A. \xc2\xa7 2000ee-2). Section\n522 requires an independent third-party review of the agency\xe2\x80\x99s use of personally identifiable\ninformation (PII)1 and of its privacy and data protection policies and procedures at least every\ntwo years; this audit satisfies the required third-party review.\n\nAudit Findings and Recommendations\nThe report contains recommendations to address weaknesses found by the auditors. The auditors\nreported seven separate findings and provided thirteen recommendations for improving privacy\npractices at the FEC. A table summarizing the findings and recommendations is included on page\ntwo of the report on the 2007 Performance Audit of Privacy and Data Protection prepared by\nCotton & Company. Management was provided a draft copy of the audit report for comment and\ngenerally concurred with the findings and recommendations. 
Management agreed with five\nfindings but did not agree with the following two findings and the corresponding\nrecommendations:\n\n      \xc2\x83\t Finding 4 - Privacy Roles and Responsibilities Are Not Adequately Documented (pages\n         15 through 17 of the audit report)\n\n      \xc2\x83\t Finding 6 - Privacy Impact Assessments Have Not Been Conducted (pages 19 \xe2\x80\x93 20)\n\nManagement prepared a narrative response to all findings and recommendations presented in the\nreport; the management response is included in Attachment 1 of the report, beginning on page 22.\nBased on management\xe2\x80\x99s response, Cotton & Company prepared additional responses for the two\nfindings where management agreement was not reached; refer to pages 17 and 20 of the report.\n\nThe OIG agrees with all findings and recommendations presented by the auditors and the OIG\nbelieves the FEC\xe2\x80\x99s implementation of the independent auditor\xe2\x80\x99s recommendations will enable the\nFEC to reach an appropriate level of compliance with respect to privacy practices.\n\n1\n See Attachment III of the audit report for a definition of personally identifiable information (PII) and\nother terminology contained in the audit report.\n\x0cAudit Follow-up\nIn accordance with Office of Management and Budget (OMB) Circular No. A-50, Audit Follow-\nup, revised, the FEC should develop a corrective action plan to set forth the specific action\nplanned to implement the recommendations and the schedule for implementation. In addition, the\nOIG\xe2\x80\x99s Internal Audit Process specifies the corrective action plan, detailing planned\nimplementation activities and dates, is due to the OIG within 30 days of receipt of this report.\nLastly, FEC Directive 50, Audit Follow-up, states the Staff Director will recommend, and the\nCommission will approve, the audit follow-up official. 
Due to the Commission-wide\nimplications of the audit recommendations, and the fact that management did not concur with all\naudit recommendations presented by Cotton & Company, the OIG recommends the Staff Director\nact as the audit follow-up official (AFO) for the audit.\n\nAs part of the OIG\xe2\x80\x99s audit contract with Cotton & Company, the agreement provides for a post-\naudit presentation with FEC officials to further expand on the findings and recommendations\ncontained in the report. The presentation should be scheduled with the OIG and delivered prior to\nFebruary 28, 2008. The AFO and/or Commissioners may wish to exercise this option in order to\ngain a further understanding of the findings and recommendations, in particular where\nmanagement agreement was not reached. The post-audit meeting could be an opportunity to\nfurther the FEC\xe2\x80\x99s understanding of the audit findings, to include federal government privacy\nrequirements, potential control frameworks, and tangible methods of improving privacy practices\nthroughout the agency.\n\nOIG Evaluation of Cotton & Company, LLP Audit Performance\nIn connection with the OIG\xe2\x80\x99s contract with Cotton & Company, we reviewed Cotton &\nCompany\xe2\x80\x99s report and related documentation and inquired of its representatives. Cotton &\nCompany is responsible for the attached auditor\'s report and the conclusions expressed in the\nreport. The OIG\xe2\x80\x99s monitoring and review of Cotton & Company\xe2\x80\x99s work disclosed no instances\nwhere Cotton & Company did not comply, in all material respects, with generally accepted\ngovernment auditing standards (GAGAS).\n\nWe appreciate the courtesies and cooperation extended to Cotton & Company and the OIG staff\nduring the audit. If you should have any questions concerning the audit report, please contact my\noffice on (202) 694-1015.\n\n\n\n\n                                                        Lynne A. 
McFarland\n                                                        Inspector General\n\nAttachments\n\nCc:     \tStaff Director\n        General Counsel\n        Associate General Counsel for Law and Advice\n        Chief Information Officer\n        Director of Human Resources\n\n\n\n\n                                                2\n\n\x0c                                          2007 \n\n                                 PERFORMANCE AUDIT OF \n\n                              PRIVACY AND DATA PROTECTION\n\n\n                              FEDERAL ELECTION COMMISSION\n\n\n                              AUDIT REPORT NUMBER OIG-07-02\n\n\n\n\nCotton & Company LLP\nAuditors \xc2\xb7 Advisors\n635 Slaters Lane, 4th Floor\nAlexandria, Virginia 22314\n703.836.6701\nwww.cottoncpa.com\n\x0cDecember 7, 2007\n\n\nMs. Lynne A. McFarland\nInspector General\nFederal Election Commission\n999 E Street, NW\nWashington, DC 20463\n\nSubject:        Report on the 2007 Performance Audit of the Federal Election Commission\xe2\x80\x99s\n                Compliance with Section 522 of the Consolidated Appropriations Act, 2005 (42 U.S.C.A.\n                \xc2\xa7 2000ee-2)\n\nDear Ms. McFarland:\n\nIn accordance with terms of the subject task order, Cotton & Company LLP conducted a performance\naudit of privacy and data protection policies and procedures used by the Federal Election Commission\n(FEC). The audit included assessing compliance with applicable federal security and privacy laws and\nregulations as well as a review of the FEC\xe2\x80\x99s policies and procedures related to identifying and securing\nprivacy-related data.\n\nWe interviewed key personnel involved in identifying and protecting personally identifiable information\nand reviewed documentation supporting the FEC\xe2\x80\x99s efforts to comply with federal privacy and security\nlaws and regulations. 
We identified specific control weaknesses and deficiencies and developed\nrecommendations designed to improve FEC compliance with federal privacy and security laws and\nregulations.\n\nWe conducted the performance audit in accordance with Government Auditing Standards. We were not\nengaged to and did not perform a financial statement audit, the purpose of which would be to express an\nopinion on specified elements, accounts, or items. This report is intended to meet the objectives described\nabove and should not be used for other purposes.\n\nWe appreciate the opportunity to have worked with the FEC. Please call me if you have questions.\n\nVery truly yours,\n\nCOTTON & COMPANY LLP\n\n\n\n\nLoren F. Schwartz, CPA, CISA, CIPP\nPartner\n\x0c                                           CONTENTS\n\nSection \t                                                                                 Page\nExecutive Summary                                                                            1\n\nBackground                                                                                   4\n\n     Federal Election Commission                                                             4\n\n     Federal Privacy Framework                                                               6\n\nObjectives, Scope and Methodology                                                            8\n\nDetailed Findings and Recommendations                                                       10\n\n     1. \t A Comprehensive Inventory of Personally Identifiable Information Has Not Been     10\n\n          Documented\n\n     2. Safeguards Over Sensitive Personally Identifiable Information Need Improvement      12\n\n     3. Privacy Policies and Procedures Have Not Been Approved and Implemented              14\n\n     4. Privacy Roles and Responsibilities Are Not Adequately Documented \t                  15\n\n     5. 
Privacy Training Has Not Been Provided to FEC Employees and Contractors             17\n\n     6. Privacy Impact Assessments Have Not Been Conducted \t                                19\n\n     7. Personnel Have Not Complied with FEC Computer Security Policy\t                      21\n\n\nAttachments\n1 Management\xe2\x80\x99s Response to Draft Report                                                     22\n\n2 Status of Prior-Year Privacy Findings and Recommendations                                 28\n\n3 Definitions                                                                               31\n\n\x0c                                                  2007 \n\n                                         PERFORMANCE AUDIT OF \n\n                                      PRIVACY AND DATA PROTECTION\n\n\n                                     FEDERAL ELECTION COMMISSION\n\n\nThe Office of Inspector General (OIG) of the Federal Election Commission (FEC) contracted with Cotton\n& Company LLP to conduct a performance audit of privacy and data protection policies and procedures\nand, specifically, to determine if the FEC is complying with section 522 of the Consolidated\nAppropriations Act, 20051 (hereafter referred to as Section 522). This report is organized into the\nfollowing sections:\n\n         \xe2\x80\xa2        Executive Summary\n         \xe2\x80\xa2        Background\n         \xe2\x80\xa2        Objectives, Scope and Methodology\n         \xe2\x80\xa2        Detailed Findings and Recommendations\n\nEXECUTIVE SUMMARY\n\nSection 522 requires certain agencies to assign a Chief Privacy Officer (CPO) who is responsible for\nidentifying and safeguarding personally identifiable information (PII)2. Section 522 also requires an\nindependent third-party review of agency use of PII and of its privacy and data protection policies and\nprocedures at least every two years. 
This audit satisfies the required third-party review.\n\nWe provided a draft of this report to the FEC for comment. In addition, we met with FEC officials to\ndiscuss report findings and recommendations. The FEC\xe2\x80\x99s response is included as Attachment 1 to this\nreport.\n\nThe FEC has made progress in addressing previously identified privacy weaknesses. Of the thirteen\nprior-year recommendations in the OIG\xe2\x80\x99s 2006 Inspection Report on Personally Identifiable Information,\nseven were closed as of our report date. The status of specific prior-year findings and recommendations\nis summarized in Attachment 2.\n\nOur audit of the FEC\xe2\x80\x99s information privacy practices determined that, while progress has been made,\nsignificant additional work is still necessary to ensure that controls around PII in both paper and\nelectronic form are implemented. Our findings and recommendations are summarized on the following\npage.\n\n\n\n\n1\n  42 U.S.C.A. \xc2\xa7 2000ee-2. \n\n2\n  See Attachment 3 for a definition of personally identifiable information (PII) and other terminology contained in\n\nthis report. \n\n                                                        1\n\n\x0cFindings                                                  Recommendations\n\n1.    A Comprehensive Inventory of Personally             We recommend that the Chief Privacy Officer:\n      Identifiable Information Has Not Been               1a. Conduct a comprehensive review to identify and document all PII collected,\n      Documented                                              processed, and stored within the FEC.\n                                                          1b. Develop, document, and implement procedures for periodically updating\n                                                              the FEC\xe2\x80\x99s inventory of PII.\n\n\n2.    
Safeguards Over Sensitive Personally Identifiable   We recommend that the Chief Privacy Officer:\n      Information Need Improvement                        2a. Develop and implement a comprehensive data management framework to\n                                                              ensure that sensitive PII in both hard copy and electronic format is\n                                                              adequately identified (including its location within the FEC), secured, and\n                                                              properly disposed of when no longer needed.\n                                                          2b. Develop a policy and procedures to ensure that the FEC\xe2\x80\x99s PII maintained or\n                                                              processed by third parties is adequately protected from unauthorized use or\n                                                              disclosure.\n\n\n3.    Privacy Policies and Procedures Have Not Been       3.   We recommend that the Chief Information Officer finalize, approve, and\n      Approved and Implemented                                 fully implement privacy policies, procedures, and directives in accordance\n                                                               with federal laws and regulations.\n\n\n4.    Privacy Roles and Responsibilities Are Not          We recommend that the FEC:\n      Adequately Documented                               4a. Consider identifying one individual (position), such as the FEC Staff\n                                                              Director, as Chief Privacy Officer.\n                                                          4b. Assign privacy roles and responsibilities to specific positions. 
In the event\n                                                              that the FEC continues with shared CPO and SAOP responsibilities, clearly\n                                                              delineate roles and responsibilities among individuals sharing these\n                                                              positions.\n                                                          4c. Identify, document, and assign roles and responsibilities for monitoring\n                                                              compliance with federal and FEC privacy requirements.\n\n\n5.    Privacy Training Has Not Been Provided to FEC       5.   We recommend that the Chief Privacy Officer develop and implement\n      Employees and Contractors                                privacy training for all FEC employees and contractors to ensure that\n                                                               personnel understand their privacy roles and responsibilities.\n\n\n6.    Privacy Impact Assessments Have Not Been            We recommend that the FEC:\n      Conducted                                           6a. Identify and implement a governance framework to ensure that controls\n                                                              within the FEC are appropriately identified, documented, and implemented.\n\n                                                          We recommend that the Chief Privacy Officer:\n                                                          6b. Conduct privacy impact assessments in accordance with Section 522.\n                                                          6c. 
Comply with OMB memorandums or, in the event of statutory exemption,\n                                                              document that sufficient controls exist to mitigate the need to comply.\n                                                              Where compliance is not adopted as the result of resource constraints,\n                                                              document the legal assessment, risk analysis, and cost-benefit to the FEC.\n\n\n7.    Personnel Have Not Complied with the FEC            7.   We recommend that the Chief Information Officer take necessary steps to\n      Computer Security Policy                                 ensure user compliance with FEC IT security policies and procedures.\n\n\n\n\n                                                                2\n\n\x0cThe conditions represented by these findings appear to result from two primary causes:\n\n        \xe2\x80\xa2       Lack of ownership over privacy within the FEC.\n        \xe2\x80\xa2       Lack of an overall risk-based compliance and governance framework at the FEC.\n\nFirst, without a single point of privacy ownership, there appears to be little urgency or accountability for\nmoving forward with strong privacy practices. FEC privacy is co-owned by two individuals, and it is\nunclear who is responsible for specific management actions related to privacy. 
Best practice would assign\na single member of management as owner for privacy and have that owner rely on other resources, as\nneeded, to assist in legal or information technology matters.\n\nOffice of Management and Budget (OMB) Memorandum M-05-08, Designation of Senior Agency\nOfficials for Privacy, states the following:\n\n        In furtherance of the Administration\xe2\x80\x99s commitment to protecting information privacy, OMB is\n        today asking each executive Department and agency (\xe2\x80\x9cagency\xe2\x80\x9d) to identify to OMB the senior\n        official who has the overall agency-wide responsibility for information privacy issues. Consistent\n        with the Paperwork Reduction Act, the agency\xe2\x80\x99s Chief Information Officer (CIO) may perform\n        this role. Alternatively, if the CIO, for some reason, is not designated, the agency may have\n        designated another senior official (at the Assistant Secretary or equivalent level) with agency-\n        wide responsibility for information privacy issues. In any case, the senior agency official should\n        have authority within the agency to consider information privacy policy issues at a national and\n        agency-wide level.\n\n        The senior agency official will have overall responsibility and accountability for ensuring\n        the agency\xe2\x80\x99s implementation of information privacy protections, including the agency\xe2\x80\x99s\n        full compliance with federal laws, regulations, and policies relating to information\n        privacy, such as the Privacy Act. As is required by the Privacy Act, the Federal\n        Information Security Management Act (FISMA), and other laws and policies, each\n        agency must take appropriate steps necessary to protect personal information from\n        unauthorized use, access, disclosure or sharing, and to protect associated information\n        systems from unauthorized access, modification, disruption or destruction. 
Agencies are\n        required to maintain appropriate documentation regarding their compliance with\n        information privacy laws, regulations, and policies. And, agencies have the authority to\n        conduct periodic reviews (e.g., as part of their annual FISMA reviews) to promptly\n        identify deficiencies, weaknesses, or risks. When compliance issues are identified,\n        agencies are obligated to take appropriate steps to remedy them.\n\nWhile OMB has suggested that the Chief Information Officer (CIO) may be designated as the Senior\nAgency Official for Privacy (SAOP), the FEC may be better served by having an individual in an\noperational senior management position (the FEC Staff Director for example) serving as the SAOP.\nThe Staff Director position would have knowledge of operational issues within the FEC to make better\nrisk-based decisions related to privacy and have authority to implement and enforce those decisions once\nthey are made.\n\nThe lack of a risk-based compliance and governance framework at the FEC appears to be the second\ncause underlying the seven findings listed above, and a contributing cause for other internal control\nweaknesses previously reported by the FEC\xe2\x80\x99s Inspector General3. The FEC\xe2\x80\x99s Office of General Counsel\n(OGC) opined in September 2004 on the FEC\xe2\x80\x99s exemption from several important federal laws,\nregulations, and standards related to management controls and procedures for information technology (IT)\n\n3\n Federal Election Commission Performance and Accountability Report, Fiscal Year 2004, Inspector General\nAssessment of Major Performance and Management Challenges, pages 111-115.\nhttp://www.fec.gov/pages/budget/fy2004/par_2004.pdf.\n                                                    3\n\n\x0csecurity. The basis for the exemption was primarily due to the FEC\xe2\x80\x99s exemption from the Paperwork\nReduction Act (PRA), an act generally unrelated to IT security. 
Most federal IT security laws and\nregulations, such as the Computer Security Act of 1987, as amended, derive their authority from the PRA\nor other laws from which the FEC is exempt.\n\nSpecifically, the FEC\xe2\x80\x99s OGC concluded that the FEC was exempt from the Computer Security Act of\n1987, a law that established minimum acceptable security practices for federal computer systems. In\naddition, the FEC was not required to follow Federal Information Processing Standards (FIPS) issued by\nthe National Institute of Standards and Technology (NIST). FIPS are standards and guidelines pertaining\nto federal computer requirements. Finally, the FEC was exempt from the Federal Information Security\nManagement Act (FISMA), a law followed by a majority of both small and large federal agencies and\ndepartments to provide information security for their operations and assets.\n\nFEC decisions on whether to adhere to IT and privacy security federal government guidelines often\nappear to be made based on legal interpretations of laws and OMB memorandums, rather than on sound\nrisk management. This is supported by evaluating the significant legal resources that management\nassigned to decision making compared with limited resources for risk management activities. A more\nspecific example is management\xe2\x80\x99s decision not to perform privacy impact assessments. This decision\nwas made based on an FEC OGC opinion that the FEC did not legally have to comply with this\nrequirement, rather than on sound risk management.\n\nRisk-based frameworks, such as those offered by the Committee of Sponsoring Organizations of the\nTreadway Commission (COSO, www.coso.org) and Control Objectives for Information and Related\nTechnology (CobiT, www.isaca.org), present common definitions of internal controls, standards, and\ncriteria against which companies and organizations can assess their control systems. 
Within the\nExecutive Branch of the federal government, NIST has developed a thorough compliance framework\nbased on risk.\n\nThe NIST framework encourages agencies to perform risk assessments and then make internal control\ndecisions based on those risk assessments. NIST guidance is scalable for agencies both larger and smaller\nthan the FEC. Adopting a framework, such as the one promulgated by NIST, would help to ensure that\nthe FEC is adhering to best practice standards and maintaining, at a minimum, the same level of internal\ncontrol as the Executive Branch of the federal government. Without a risk-based framework in place,\nmanagement\xe2\x80\x99s ability to identify and measure the effectiveness of the FEC\xe2\x80\x99s internal control structure\nbecomes more difficult.\n\nOther federally appropriated organizations that are exempt from FISMA and NIST guidelines have\nformally adopted these requirements as a matter of best practice to help ensure that sound internal\ncontrols are established and followed. In summary, the FEC\xe2\x80\x99s legal exemption from FISMA and NIST\nguidance does not preclude the agency from formally adopting a FISMA-NIST based framework as a\nmatter of best practice and good government.\n\nBACKGROUND\n\nFederal Election Commission\n\nThe FEC, an independent federal agency established by the Congress as a Commission, is responsible for\nadministering and enforcing the Federal Election Campaign Act (FECA), 2 USC \xc2\xa7 431. The FEC\nadministers and enforces FECA through the three core programs of disclosure, compliance, and public\nfinancing.\n\n\n\n\n                                                 4\n\n\x0c        \xe2\x80\xa2\t      Disclosure. Disclosure involves receiving reports of campaign finance transactions by\n                candidates and political committees involved in elections for federal office and\n                promulgating them as part of the public record.\n\n        \xe2\x80\xa2\t      Compliance. 
Compliance involves reviewing and assessing campaign finance\n                transactions to ensure that filers abide by appropriate FECA limitations, prohibitions, and\n                disclosure requirements. Compliance also involves oversight of individual contributors,\n                corporations, labor unions, and \xe2\x80\x9cissue\xe2\x80\x9d groups that, although they may not fit within the\n                universe of filers, can be involved in violations of FECA. The FEC has exclusive\n                jurisdiction over civil enforcement of FECA and engages in civil enforcement\n                proceedings to resolve instances of noncompliance.\n\n        \xe2\x80\xa2\t      Public Financing. Public financing is the system for financing Presidential primaries,\n                general elections, and national party conventions. Congress designed the program to\n                correct campaign finance abuses perceived in the 1972 Presidential electoral process.\n                The program combines public funding with limitations on contributions and\n                expenditures. The program has three parts: (1) matching funds for primary candidates,\n                (2) funds to sponsor political-party Presidential nominating conventions, and (3) funds\n                for the general election campaigns of major party nominees and partial funding for\n                qualified minor and new party candidates.\n\n                Based on statutory criteria, the FEC determines which candidates and committees are\n                eligible for public funds and funding amounts. The U.S. Treasury then makes the\n                necessary payments. The FEC audits all committees that received public funds to ensure\n                that committees used funds in accordance with the FECA, public funding statutes, and\n                FEC regulations. 
Based on the FEC\xe2\x80\x99s audit findings, Presidential committees may be\n                required to make repayments to the U.S. Treasury.\n\nThe FEC is headed by six commissioners appointed by the President and confirmed by the Senate.\nCommissioners serve six-year terms, and no more than three Commissioners may represent the same\npolitical party. By statute, the Commissioner chairmanship rotates every year, and the designated\nchairman has limited authority to set the agency\xe2\x80\x99s agenda.\n\nUnder the Commissioners, the FEC\xe2\x80\x99s organizational structure is separated into four primary offices:\n\n        \xe2\x80\xa2\t      Office of the Staff Director (OSD). OSD is headed by a statutory officer. Subordinate\n                organizations to the Staff Director are in most cases called \xe2\x80\x9coffices\xe2\x80\x9d for staff support\n                activities and \xe2\x80\x9cdivisions\xe2\x80\x9d for line activities involved in one or more of the three core\n                programs. Programmatic elements under OSD include the Disclosure Division,\n                Information Technology, Information Division, Press Office, Reports Analysis Division,\n                and Audit Division.\n\n        \xe2\x80\xa2\t      Office of the General Counsel (OGC). OGC is headed by a statutory officer.\n                Subordinate offices to OGC are titled Associate General Counsels, and each supports one\n                or more of the three core FEC programs.\n\n        \xe2\x80\xa2\t      Office of Inspector General (OIG). OIG is headed by a statutory officer, the Inspector\n                General, who reports directly to the Commission.\n\n        \xe2\x80\xa2\t      Chief Financial Officer (CFO). 
The Office of the CFO is headed by the CFO.\n                Subordinate offices include finance, procurement, and budget.\n\nThe FEC\xe2\x80\x99s privacy structure consists of a Privacy Officer, Co-Chief Privacy Officers (CPOs), and Co-\nSenior Agency Officials for Privacy (SAOP). The Privacy Officer position is held by the Associate\n                                                  5\n\n\x0cGeneral Counsel (GC) for General Law and Advice (GLA), while the CPO and SAOP positions are\nshared by the GC GLA and Chief Information Officer (CIO). Responsibilities for privacy are separated\ninto two areas, legal and technical; GC GLA handles legal issues, and the CIO handles technical issues.\n\nFederal Privacy Framework\n\nPrivacy in the federal government is rooted in passage of the Privacy Act of 1974. Congress enacted the\nPrivacy Act based on its understanding that:\n\n1.\t     The privacy of an individual is directly affected by collection, maintenance, use, and\n        dissemination of personal information by federal agencies.\n\n2.\t     The increasing use of computers and sophisticated information technology, while essential to\n        efficient government operations, has greatly magnified the harm to individual privacy that can\n        occur from any connection, maintenance, use, or dissemination of personal information.\n\n3.\t     Opportunities for any individual to secure employment, insurance, and credit have a right to due\n        process, and other legal protections are endangered by misuse of certain information systems.\n\n4.\t     The right to privacy is a personal and fundamental right protected by the Constitution of the\n        United States.\n\n5.\t     To protect the privacy of individuals identified in information systems maintained by federal\n        agencies, it is necessary for Congress to regulate collection, maintenance, use, and dissemination\n        of information by such agencies.\n\nThe purpose of the Privacy Act of 1974 is to 
provide certain safeguards for an individual against an\ninvasion of personal privacy by requiring federal agencies, except as otherwise provided by law, to:\n\n1.\t     Permit an individual to determine what records pertaining to him/her are collected, maintained,\n        used, or disseminated by such agencies.\n\n2.\t     Permit an individual to prevent records pertaining to him/her obtained by such agencies for a\n        particular purpose from being used or made available for another purpose without consent.\n\n3.\t     Permit an individual to gain access to information pertaining to him/her in federal agency records,\n        to have a copy made of all or any portion thereof, and to correct or amend such records.\n\n4.\t     Collect, maintain, use, or disseminate any record of identifiable personal information in a manner\n        that assures that such action is for a necessary and lawful purpose, that the information is current\n        and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of\n        such information.\n\nSection 6 of the Privacy Act of 1974 directed OMB to develop guidelines for agencies to use in the Act\xe2\x80\x99s\nimplementation. 
Driven by the Privacy Act and recent high-profile incidents surrounding actual or potential privacy breaches or loss of sensitive PII, OMB has released a number of memorandums for agencies to follow in protecting PII, including:

• OMB Circular A-130, Management of Federal Information Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals

• OMB Memorandum M-03-18, Implementation of E-Government Act of 2002

• OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002

• OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy

• OMB Memorandum M-06-16, Protection of Sensitive Agency Information

• OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments

• OMB Memorandum M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information

• OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations

• OMB Memorandum M-07-19, Reporting Instructions for Federal Information Security Management Act and Agency Privacy Management

In addition to the Privacy Act and OMB memorandums, Congress passed and the President signed into law the Consolidated Appropriations Act, 2005 (Public Law 108-447), on December 8, 2004.
Section 522 of this Act requires certain agencies to designate a senior privacy official, establish privacy and data protection procedures, prepare a written report on the agency’s use of information in an identifiable form [4], obtain an independent third-party review of the agency’s use of information in an identifiable form, and have the Inspector General report to the agency head on the independent review and resulting recommendations.

Section 522 (d)(3) requires the Inspector General to contract with an independent third-party privacy professional to evaluate the agency’s use of information in an identifiable form and its privacy and data protection procedures. The independent review is to include (a) an evaluation of the agency’s use of information in identifiable form, (b) an evaluation of the agency’s privacy and data protection procedures, and (c) recommendations on strategies and specific steps to improve privacy and data protection management. Section 522 requires an independent third-party review at least every two years and requires the Inspector General to submit a detailed report on the review to the agency head.
The independent third-party report and the related Inspector General report are to be made available to the public through the internet.

Additional laws, regulations, and criteria released by Congress, OMB, and NIST related to privacy include:

• The E-Government Act of 2002, Section 208, H.R. 2458

• Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems

• FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems

• NIST Special Publication (SP) 800-60, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

• NIST SP 800-60, Volume II: Guide for Mapping Types of Information and Information Systems to Security Categories

[4] Identifiable form is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Personally identifiable information (PII) has a similar meaning and will be the term used throughout this document.

OBJECTIVES, SCOPE AND METHODOLOGY

The FEC’s OIG contracted with Cotton & Company to conduct a performance audit of the agency’s privacy and data protection policies and procedures and its compliance with Section 522.
Specific audit objectives were to:

• Determine the FEC’s compliance with privacy requirements outlined in Section 522.

• Evaluate the FEC’s use of information in identifiable form to ensure that the FEC’s description of this use is accurate and accounts for the agency’s current technology and its processing of information in an identifiable form.

• Evaluate the FEC’s protection procedures for information in identifiable form to ensure that all technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing collection, use, and distribution of information.

• Recommend strategies and specific steps to improve privacy and data protection management.

• Review the FEC’s technology, practices, and procedures for collecting, using, sharing, disclosing, transferring, and maintaining security over information in identifiable form relating to agency employees and the public.

• Review the FEC’s stated privacy and data protection procedures for collecting, using, sharing, disclosing, transferring, and maintaining security over information in identifiable form relating to agency employees and the public.

• Conduct a detailed analysis of the FEC’s intranet, network, and websites for privacy vulnerabilities, including:

    • Noncompliance with stated practices, procedures, and policies.

    • Risks for
inadvertent release of information in identifiable form from the agency’s website.

In addition, because the FEC has determined that certain federal privacy laws and regulations (the E-Government Act of 2002 and a number of OMB regulations) do not apply to the agency due to a specific exemption under the Paperwork Reduction Act, Cotton & Company reviewed the FEC’s internal legal assessments of compliance requirements for privacy regulations, laws, and other federal guidance to determine if we agreed with the FEC’s assessment of exemptions. Specific laws and regulations reviewed included:

• Title V, Section 522 of the Consolidated Appropriations Act, 2005
• Privacy Act of 1974, 5 USC § 552a
• OMB memorandums related to privacy
• E-Government Act of 2002, H.R. 2458

The audit included a detailed analysis of the FEC’s intranet and websites for privacy vulnerabilities, including noncompliance with stated policies, practices, and procedures, and risks for inadvertent release of information in an identifiable form from the FEC website. Finally, we conducted a follow-up review of findings identified in the FEC OIG’s 2006 Inspection Report on Personally Identifiable Information.

During our audit, we noted that the FEC had not adopted a compliance framework for privacy. Therefore, Cotton & Company chose a framework we consider to be a best practice to audit against. We based our audit on federal best practices, including NIST Special Publications, FIPS, and OMB memorandums and circulars.

Cotton & Company conducted the audit through the use of detailed interviews, questionnaires, and evaluations of FEC privacy and security policies, procedures, and directives.
We conducted interviews to obtain an understanding of the types of information, including PII, handled by FEC personnel and to determine if management had identified and adequately protected sensitive PII. We interviewed key personnel from senior management and staff from various offices, including the Office of the CFO, the Office of the CIO, and OGC.

We developed and administered a questionnaire to a subjectively selected population of FEC employees inquiring about their use of PII as part of daily work activities. Based on questionnaire responses, we followed up with additional interviews or emails to obtain further clarification and information about employee use of PII. The follow-up interviews or emails were to determine specifically whether PII was being used, processed, stored, or handled by FEC personnel; what controls, if any, were in place over PII; and whether the PII identified was included in the FEC’s system of records (SOR).

In addition, where sensitive PII was identified, we determined if management was aware that agency personnel had access to sensitive PII and if the FEC had implemented adequate controls over the PII.

We conducted our audit in accordance with Government Auditing Standards, as promulgated by the Comptroller General of the United States for performance audits. We conducted this audit from September to November 2007.
We were not requested to, and we cannot, express an opinion as it relates to any financial information or information security controls related to the FEC.

Based on audit results, Cotton & Company developed findings and recommendations for management, which are presented in the following section.

DETAILED FINDINGS AND RECOMMENDATIONS

Finding 1: A Comprehensive Inventory of Personally Identifiable Information Has Not Been Documented

The Chief Privacy Officer(s) have not developed and documented a comprehensive inventory of PII collected, processed, and stored by the FEC. The FEC’s efforts to date have primarily been aimed at identifying PII or systems of records for inclusion in the SOR (required under the Privacy Act). The SOR identifies only systems or PII that meet all of the following criteria:

1. Does the system contain PII?
2. Is the system operated by or for the FEC?
3. Is the information searchable by name or unique identifier?
4. Is the information accessed regularly?

In addition to being limited to the four criteria above, the FEC’s SOR does not describe PII collected, processed, or stored in sufficient detail to meet the requirements of a PII inventory. A PII inventory should identify all PII and specifically document where the PII is being stored.
The PII inventory description should include not only the office in which the PII is located, but precisely identify the locked room or cabinet in which the PII is stored.

Finally, while the FEC’s SOR does include general descriptions of how PII is being stored, such as in locked filing cabinets, on protected computer networks, or in locked rooms, these descriptions do not identify which cabinets or rooms, and the descriptions were inaccurate in many cases, as shown by the results of our after-hours walkthrough (see Finding 2).

Section 522 (a), Privacy Officer, states:

    Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including – (7) ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

OMB Memorandum M-07-16, Section B.1, Privacy Requirements - Review and Reduce the Volume of Personally Identifiable Information, page 6, Review Current Holdings, states:

    Agencies must now also review their current holdings of all personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of a documented agency function.

OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, page 1, states:

    As is required by the Privacy Act, the Federal Information Security Management Act (FISMA), and other laws and policies, each agency must take appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing, and to protect associated information systems from unauthorized access, modification, disruption or destruction.
    Agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies.

Finally, the FEC’s Privacy Protection Policies and Procedures (Draft), undated, Section VII, Security, states:

    The FEC shall provide security protection for all records that contain personal information maintained in FEC’s systems to ensure the accuracy, integrity and confidentiality of the records. The FEC’s security protections for systems that store personal information shall include appropriate administrative, technical and physical safeguards such as:

    1. Physical security of both hard copy and electronic data;
    2. Personnel security for employee and contractor access to data;
    3. Network security for data in transit; and
    4. Secure and timely destruction of records.

    The security protection afforded each system shall be commensurate with the risk level and magnitude of harm the FEC and/or the record subject would face in the event of a security breach.

Because management has focused its resources on updating the SOR, which is required under the Privacy Act, 5 USC § 552a, and has not focused on identifying all sensitive PII, regardless of whether it meets the four criteria identified by the FEC, we noted a significant amount of unprotected sensitive PII during our after-hours walkthrough. Without conducting a comprehensive review of all types of information received, processed, and stored by the FEC, management cannot ensure that all sensitive PII has been identified and adequate controls implemented to protect sensitive PII from unauthorized use, disclosure, or destruction.
In addition, the likelihood of fraudulent activities is greater.

Recommendations

We recommend that the Chief Privacy Officer:

1a. Conduct a comprehensive review to identify and document all personally identifiable information collected, processed, and stored within the FEC. This inventory should be detailed enough to identify the information format (hard copy vs. electronic) and specifically identify where the information is maintained (cabinets, offices, storage rooms, etc.).

1b. Develop, document, and implement procedures for periodically updating the FEC’s inventory of PII.

Management Response

Management concurs with this finding and stated they are in the process of finalizing their Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers. Prior to the development of this plan, the FEC distributed a survey to agency divisions to determine which divisions collect and use Social Security Numbers, the rationale for collection and use, the necessity for this collection, and whether alternate identifiers may be used. Initial survey results provided useful information and will assist FEC management in implementing the above-mentioned plan.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 2: Safeguards Over Sensitive Personally Identifiable Information Need Improvement

Controls were not adequate to ensure that sensitive PII collected, processed, or stored by the FEC has been adequately safeguarded. We performed an after-hours walkthrough and identified instances in which PII was easily accessible to unauthorized personnel.
Specific examples include:

• FEC employee timesheets, travel, and training records, including employee names, social security numbers, and birth dates, were stored in unsecured common-area desks and unlocked file cabinets.

• Candidate records and FEC audit work papers, containing names, addresses, phone numbers, canceled checks with bank account and routing numbers, and signatures, were in unsecured common-area desks and cubicles.

• “Matter Under Review” (MUR) documentation, including banking information (checks and copies of checks showing routing and account numbers), was in unsecured areas, such as desks, unlocked common-area cabinets, and cardboard boxes in offices and common areas.

• Interoffice folders marked “confidential” containing possible PII regarding employees were in unsecured common-area mail slots and on common-area desks.

• CDs labeled “confidential” or marked with other information noting possible PII were on desks in unlocked offices.

• Outdated individual applications for FEC employment containing names, addresses, phone numbers, and social security numbers were retained in an unsecured office common area of an FEC program division.

In addition, the FEC has not adequately assessed the effectiveness of controls over third-party systems housing FEC data.
For example, the FEC has not performed a review to ensure that controls over the payroll system hosted by the National Finance Center (NFC) are in place and operating effectively.

The FEC’s Privacy Protection Policies and Procedures (Draft), undated, Section VII, Security, states:

    The FEC shall provide security protection for all records that contain personal information maintained in FEC’s systems to ensure the accuracy, integrity and confidentiality of the records. The FEC’s security protections for systems that store personal information shall include appropriate administrative, technical and physical safeguards such as:

    1. Physical security of both hard copy and electronic data;
    2. Personnel security for employee and contractor access to data;
    3. Network security for data in transit; and
    4. Secure and timely destruction of records.

    The security protection afforded each system shall be commensurate with the risk level and magnitude of harm the FEC and/or the record subject would face in the event of a security breach.

Section 522, (a)(7), states:

    Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

OMB Memorandum M-05-08, page 1, states:

    As is required by the Privacy Act, the Federal Information Security Management Act (FISMA), and other laws and policies, each agency must take appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing, and to protect
    associated information systems from unauthorized access, modification, disruption or destruction. Agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies.

The FEC does not have a comprehensive framework in place for effectively identifying, documenting, and protecting PII in both electronic and hard copy form. In addition, the CPO has not taken appropriate steps to identify where sensitive PII is used within the FEC and to ensure that business areas have effective policies, procedures, and practices in place to handle the PII in their possession.

Section 522, (a)(1), states:

    Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form.

Also, we concluded that FEC business areas (offices, divisions, and branches) have not clearly documented and implemented policies, procedures, and practices for handling the retention, storage, and destruction of sensitive PII. While management has identified PII for inclusion in the SOR and has implemented some high-level security controls (encryption and two-factor authentication) over the FEC’s computers, the CPO has not taken adequate steps to ensure that sensitive PII in both hard copy and electronic form within the FEC has been identified and adequately protected.

Without a comprehensive framework in place that ensures that sensitive PII has been identified and is being adequately protected, the risk of unauthorized access to sensitive PII increases.
Unauthorized access to sensitive PII, such as social security numbers and banking information, could be used to commit identity theft or other fraudulent activities.

Recommendations

We recommend that the Chief Privacy Officer:

2a. Develop and implement a comprehensive data management framework to ensure that sensitive PII in both hard copy and electronic format is adequately identified (including its location within the FEC), secured, and properly disposed of when no longer needed.

2b. Develop a policy and procedures to ensure that FEC PII maintained or processed by third parties is adequately protected from unauthorized use or disclosure.

Management Response

Management concurs with this finding and stated that they are reexamining their privacy program to ensure that policies, procedures, and guidelines to protect PII are at an acceptable level.
In addition, representatives stated that they will again remind FEC employees of the importance of protecting PII and will implement personalized training specific to the agency to assist each employee and contractor in understanding the critical importance of protecting PII.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 3: Privacy Policies and Procedures Have Not Been Approved and Implemented

The FEC has not established and implemented comprehensive privacy and data protection policies and procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage, and security of information in identifiable form in accordance with Section 522.

The FEC’s timeframe for complying with Section 522 requirements was delayed, in part, due to its effort to determine if the agency was subject to the Act. Management filed a privacy report with the OIG in compliance with Section 522 in February 2007.
As of the completion of our audit, management was still in the process of developing draft policies, procedures, and directives, which, when finalized, must undergo Commission approval before being implemented.

The following privacy policies, procedures, and directives were in draft stage during our testing period:

• Privacy Protection Policies and Procedures

• FEC Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers

• Privacy Rules of Conduct

• Designation of Chief Privacy Officer and Senior Agency Official for Privacy

• Policy and Plan for Responding to Breaches of Personally Identifiable Information (finalized after the audit testing period)

Section 522, (b), Establishing Privacy and Data Protection Procedures and Policies, states:

    In general.--Within 12 months of enactment of this Act, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public.
    Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974, and section 208 of the E-Government Act of 2002.

In addition, Section 522 (1), In General, states:

    Within 12 months of enactment of this Act, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage, and security of information in identifiable form relating to the agency employees and the public.

The FEC’s Privacy Protection Policies and Procedures (Draft), undated, Section VII, Security, states:

    The FEC shall provide security protection for all records that contain personal information maintained in FEC’s systems to ensure the accuracy, integrity and confidentiality of the records. The FEC’s security protections for systems that store personal information shall include appropriate administrative, technical and physical safeguards such as:

    1. Physical security of both hard copy and electronic data;
    2. Personnel security for employee and contractor access to data;
    3. Network security for data in transit; and
    4. Secure and timely destruction of records.

    The security protection afforded each system shall be commensurate with the risk level and magnitude of harm the FEC and/or the record subject would face in the event of a security breach.

Without clearly documented privacy policies and procedures, management cannot ensure that it has adequate controls in place over the use and protection of sensitive PII.
In addition, without documented privacy policies and procedures to disseminate to the user community, management cannot ensure that employees and contractors understand their responsibilities for collecting, using, sharing, disclosing, transferring, storing, and securing sensitive PII.

For example, we noted an instance in which the FEC inadequately documented a recent security breach response. Management insufficiently documented its conclusion that a breach of sensitive PII did not occur. Specifically, the available documentation did not contain a clear description of the compensating controls that were in place to mitigate a potential release of sensitive PII. If the FEC’s documented Policy and Plan for Responding to Breaches of Personally Identifiable Information had been in place at the time the FEC identified the potential breach, and management had sufficiently completed an Identity Theft Risk Analysis, more information would have been available for the OIG and others to reach the same conclusion as management.

Recommendation

3. We recommend the Chief Information Officer finalize, approve, and implement privacy policies, procedures, and directives in accordance with federal laws and regulations.

Management Response

Management concurs with this finding and stated they are in the process of finalizing agency privacy policies, procedures, and directives and expect to circulate final documents for Commission approval within the next 30 days.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 4: Privacy Roles and Responsibilities Are Not Adequately Documented

The FEC’s privacy roles and responsibilities have not been clearly documented and assigned in accordance with Section 522.
CPO, PO, and SAOP roles and responsibilities have been documented in draft privacy policies and directives, but these have not been finalized and implemented.

In addition, the CPO and SAOP positions are being shared by the GC GLA and the CIO, although documented roles and responsibilities for the CPO and SAOP have not been specifically assigned. In addition, while draft CPO roles and responsibilities do include responsibility for ensuring compliance with laws and regulations, draft policies and directives do not identify how compliance will be monitored or identify specific privacy monitoring activities for each of the CPOs. Based on interviews with each CPO, it was unclear who is ultimately responsible for ensuring compliance with privacy policies and procedures at the agency level.

Section 522, (a), Privacy Officer, states:

    Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including –

    1. assuring that the use of technologies sustain and do not erode, privacy protections relating to use, collection, and disclosure of information in an identifiable form;

    2. assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program;

    3. assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974;

    4. evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal
Government;\n\n        5.\t conducting a privacy impact assessment of proposed rules of the Department on the\n            privacy of information in identifiable form, including the type of personally\n            identifiable information collected and the number of people affected;\n\n        6.\t preparing a report to Congress on an annual basis on activities of the Department\n            that affect privacy, including complaints of privacy violations, implementation of\n            section 552a of title 5, 11 United States Code, internal controls, and other relevant\n            matters;\n\n        7.\t ensuring that the Department protects information in an identifiable form and\n            information systems from unauthorized access, use, disclosure, disruption,\n            modification, or destruction;\n\n        8.\t training and educating employees on privacy and data protection policies to promote\n            awareness of and compliance with established privacy and data protection policies;\n            and\n\n        9.\t ensuring compliance with the Departments established privacy and data protection\n            policies.\n\nSection 522 (b), Establishing Privacy and Data Protection Procedures and Policies, states:\n\n        In general.--Within 12 months of enactment of this Act, each agency shall establish and\n        implement comprehensive privacy and data protection procedures governing the\n        agency\'s collection, use, sharing, disclosure, transfer, storage and security of information\n        in an identifiable form relating to the agency employees and the public. 
Such procedures\n        shall be consistent with legal and regulatory guidance, including OMB regulations, the\n        Privacy Act of 1974, and section 208 of the E-Government Act of 2002.\n                                                   16\n\x0cWithout clear assignment of privacy roles and responsibilities to specific individuals, management\xe2\x80\x99s\nability to hold individuals accountable to identify and protect PII is reduced. In addition, the lack of\nclearly defined responsibilities increases the risk that individuals will not take adequate measures to\nprotect sensitive PII, because they are unaware it is their responsibility or they believe it was being\nperformed by others.\n\nRecommendations\n\nWe recommend that the FEC:\n\n        4a.\t    Consider identifying one individual (position), such as the FEC Staff Director, as Chief\n                Privacy Officer.\n\n        4b.\t    Assign privacy roles and responsibilities to specific positions. In the event that the FEC\n                continues with shared CPO and SAOP responsibilities, clearly delineate roles and\n                responsibilities among individuals sharing these positions.\n\n        4c.\t    Identify, document, and assign roles and responsibilities for monitoring compliance with\n                federal and FEC privacy requirements.\n\nManagement Response\n\nManagement does not concur with this finding. The FEC has given careful consideration in assigning\nshared CPO and SAOP responsibility and believes that no one person at the FEC could effectively handle\nthis task. Management believes there are specific areas of expertise required on the legal side, as well as\nthe IT side, that lend themselves to share duties by staff that have expertise in these areas. 
To the extent\nthis finding is about the specificity of the assignment of other responsibilities in the draft document, the\nFEC will, of course, carefully consider the recommendations.\n\nAuditor Response: While management does not concur with our recommendation of assigning one\nChief Privacy Officer, we do want to reiterate our belief that the effective management of privacy within\nthe agency is best achieved when overall responsibility and accountability lies with one individual.\nProceeding with Co-CPOs and Co-SAOPs will inherently increase the risk of specific activities related to\nthe identification and protection of PII being inadequately addressed by management. With that being\nsaid, management should ensure privacy roles and responsibilities which do not easily fall under the legal\nor IT umbrella have been identified, documented in their privacy policies and clearly assigned to one of\nthe Co-CPOs. Our audit clearly showed that responsibility for protection of hard copy PII which does not\nfall under the legal or IT umbrella had not been identified and assigned to either of the CPOs, and as a\nresult, we found numerous instances where sensitive PII was unprotected and susceptible to theft.\n\nFinding 5: Privacy Training Has Not Been Provided to FEC Employees and Contractors\n\nThe FEC has not adequately trained employees on privacy policies and procedures to promote awareness\nof and compliance with established privacy policies. Management has not completed development and\ndelivery of privacy-specific training to FEC employees and contractors. 
The FEC has included limited privacy information in its annual security awareness training; this information was not, however, provided in adequate detail to address all appropriate privacy-related issues.

17

Section 522(a)(8), Privacy Officer, states:

        Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies.

In addition, the FEC’s Privacy Protection Policies and Procedures (Draft), Section IX, Training, states:

        It is essential that all FEC employees and contractors who come in contact with personally identifiable information and the systems that contain that information be aware of statutory and regulatory privacy requirements and FEC privacy policies and procedures. Training will be provided to all employees that come in contact with personally identifiable information or develop, manage, or maintain information systems that process and store personally identifiable information. Training will include the following:

        1. The purpose and scope of the Privacy Act;

        2. FEC Privacy Protection Policies and Procedures, including 11 C.F.R. Part 1 and the Breach Notification Policy and Plan;

        3. Appropriate use and disclosure of records under the Privacy Act;

        4. Security requirements for off-site computing;

        5. Privacy Rules of Conduct, including the consequences for failure to follow the rules and available corrective actions; and

        6. The possible criminal and civil penalties for violating the Privacy Act.

While management is in the process of developing privacy-specific training to deliver to FEC employees and contractors, the current lack of training increases the risk of sensitive PII being handled inappropriately.

In addition, without effective privacy training in place, employees may be unaware of FEC privacy policies and procedures, such as what constitutes sensitive PII, how to protect sensitive PII, and how to report potential breaches of sensitive PII. For example, of 69 individuals who responded to our privacy questionnaire, 30 (43 percent) did not recall receiving privacy training. Also, 41 respondents (59 percent) were unable to identify the individuals who hold the CPO position. Specifically,

        •       22 did not correctly identify either of the CPOs (32 percent)
        •       19 correctly identified only one of the two CPOs (27 percent)

Recommendation

        5.      We recommend that the Chief Privacy Officer develop and implement privacy training for all FEC employees and contractors to ensure that personnel understand their privacy roles and responsibilities. Privacy training topics should include identifying and protecting sensitive PII, and responding to or reporting potential breaches of sensitive PII. Finally, privacy training should address the various practices and business needs within the FEC.

18

Management Response

Management concurs with this finding. While they believe they have addressed protection of sensitive PII in security awareness training, issued guidelines for protecting PII, and followed up with emails and newsletters, management concurs that room for improvement exists regarding educating staff and contractors on their responsibilities for privacy. Management is developing a separate privacy education course outlining the components necessary to ensure that all staff and contractors who have privacy responsibilities and access to PII are aware of their roles and responsibilities related to privacy and the need to protect PII during its entire lifecycle.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 6: Privacy Impact Assessments Have Not Been Conducted

The FEC has not conducted privacy impact assessments in accordance with Section 522(a)(5), which states:

        Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including conducting a privacy impact assessment of proposed rules of the Department on the privacy of information in an identifiable form, including the type of personally identifiable information collected and the number of people affected.

The FEC conducted a legal review of this standard (privacy impact assessment) and concluded that this portion of the Consolidated Appropriations Act was grounded in FISMA, which the FEC has legally determined it is not required to follow.

While we are not disagreeing with that legal interpretation, management has not adopted a framework of compliance and governance related to privacy and information technology controls and instead is selective (generally based on legal decisions) with respect to which controls the FEC decides to implement.

FEC management has determined that since privacy impact assessments derive from the E-Government Act of 2002 (to which the FEC is not subject), it is not required to perform privacy impact assessments. We agree with this legal opinion. However, it is evident from management’s approach to determining what privacy controls to implement that management is more concerned with what it is legally required to do (hence the significant legal input into decisions) than with what is the best course of action based on risk to the FEC.

Before determining if OMB-directed or -recommended activities are necessary to improve its privacy practices, the FEC’s practice is to first assess whether the agency is legally required to comply by reviewing the statutory authority on which the guidance is based. Where a decision is made that only partial compliance is required, we determined the legal assessments do not clearly define which activities will and will not be undertaken. Further, where a legal opinion is reached that compliance is not required (based on an assessment that a requirement is grounded in FISMA or another law), the FEC does not document whether existing privacy practices and controls mitigate the need to formally adopt the OMB requirements. Rather, the FEC relies on the legal opinion as to whether to direct resources toward those privacy activities.

The FEC’s legal assessments have determined that the agency is not legally required to comply with any of the eight OMB privacy-related memorandums released since 2005 in their entirety. The FEC has decided, however, to adopt portions of six of the memorandums, either based on best practice or other legal requirements. Of the remaining two, the FEC has determined exemption from one, and a final determination on compliance with the other, as a best practice, has yet to be finalized.

19

The E-Government Act of 2002, OMB memorandums, and other portions of the Executive Branch compliance framework are clear best practices in the government environment. While the FEC may be directly excluded from complying with FISMA and NIST guidance, other compliance frameworks exist that would meet organizational needs. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) model is a compliance and controls best practice framework in the corporate world. In addition, the Control Objectives for Information and Related Technology (CobiT) is an information technology governance process that often supports the COSO model. Both are internationally recognized and accepted frameworks for governance and control. By failing to adopt a framework, management is not able to make risk-based decisions regarding which controls are appropriate to implement.

Without a governance framework, management may be taking on more risk than it would otherwise want to accept or may be inefficient in the application of controls. Specifically, without a privacy impact assessment, the FEC cannot accurately assess where privacy-related risks exist. Sensitive PII may be compromised through these unmitigated risks.

Recommendations

We recommend that the FEC:

        6a.     Identify and implement a governance framework to ensure that controls within the FEC are appropriately identified, documented, and implemented.

        6b.     Conduct privacy impact assessments in accordance with Section 522.

        6c.     Comply with OMB memorandums or, in the event of statutory exemption, document that sufficient controls exist to mitigate the need to comply. Where compliance is not adopted due to resource constraints, document the legal assessment, risk analysis, and cost-benefit to the FEC.

Management Response

Management does not concur with this finding, stating that the recommendations in this finding will require careful consideration and may not ultimately be adopted precisely as set forth in the finding. In addition, management states that it does not perform privacy impact assessments due to limited resources, not based on a legal opinion that the E-Government Act is not applicable to the FEC.

Auditor Response: While management may be exempt from specific laws and regulations which outline security best practices, we believe management’s fiduciary responsibility is to ensure adequate controls are in place to protect the confidentiality, integrity, and availability of the FEC’s information and information systems. A security framework does not distinguish between the types of data it is protecting, but rather guides management in identifying, implementing, and monitoring the effectiveness of controls over information the agency determines to be important or sensitive. Examples of sensitive information can include not only privacy data, such as social security numbers and banking information, but also agency or company trade secrets and confidential business information. For this reason, we believe the best way to identify and protect PII, which was the focus of our audit, is to have a comprehensive security management framework in place.

20

Finding 7: Personnel Have Not Complied with FEC Computer Security Policy

The FEC’s computer security policies were not being followed by FEC personnel. During an after-hours walkthrough of the FEC building, we identified the following:

        •       Employees left usernames and passwords written on notes within proximity to their computers.

        •       Employees left USB 2-factor privacy encryption authentication tokens unsecured in their laptops.

Federal Election Commission Rules of Behavior and Acceptable Use Standards for Federal Election Commission Information and Systems Resources, undated, Section 8.d, states:

        Protect your password from disclosure.
        Specifically, do not post your password in your area.

Section 18 states:

        Protect FEC computing resources from theft or loss; take particular care to protect any portable devices and media entrusted to you, such as laptops, cell phones, palm-top computers, disks, CDs, and other portable electronic storage media.

The FEC’s Mobile Computing Security Policy Number 58-4.3, dated August 24, 2006, Section 2.a., states:

        Portable computing devices and associated peripherals issued by the FEC should be viewed as government property that must be adequately protected from theft.

Section 522(a)(1) states:

        Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form.

Passwords left on desks and USB tokens left in laptop computers in unsecured offices increase the likelihood that an individual with physical access may gain unauthorized access to the laptop or other resources. As a result, unauthorized individuals may obtain sensitive PII and use the information for activities such as identity theft or fraud.

Recommendation

        7.      We recommend that the Chief Information Officer take the necessary steps to ensure that users are complying with FEC IT security policies and procedures.

Management Response

Management concurs with this finding and intends to address these physical security issues through an email to be sent to all staff the week of November 26; strong emphasis on privacy training now under development and in continued information systems security training; and other means and methods to be developed by the co-CPOs in conjunction with the FEC’s physical security officer and other management officials.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

21

                                           ATTACHMENT 1

                                        MANAGEMENT RESPONSES


                     Management Response to the Cotton & Company, LLP
                        “2007 Report on Privacy and Data Protection”

        We appreciate the opportunity to respond to the “2007 Report on Privacy and Data Protection,” conducted pursuant to section 522 of the Consolidated Appropriations Act, 2005. We consider privacy to be a matter of great importance and have undertaken significant efforts to ensure compliance.

        The FEC has always taken very seriously the need to protect the security and privacy of information in its possession. We are constantly aware that we possess sensitive information about individuals’ involvement in activities that lie at the heart of the First Amendment. Our statute commands us, for example, not to make public information concerning ongoing enforcement matters, and our record of complying with this mandate over the past three decades is excellent. In the area of information systems security, we have taken many steps in the last four years to improve the security of sensitive and other electronic data, including 15 separate technical improvements such as two-factor authentication for employee laptops, upgrades to the majority of our server network operating systems, and installation of intrusion detection software; more extensive, and automated, user training in information security; and a continuous monitoring program that tests nine critical aspects of security or security response either annually or biannually.

        We recognize that in the Internet age, special attention has to be devoted to specific concerns related to the privacy of information about individuals – both for the First Amendment-related reasons with which the Commission has always been concerned, and because of the potential for problems such as identity theft. We are at the beginning of our agency’s privacy program, and we believe we have already accomplished a good deal given the limitations on our budgetary and human resources that we face as a small agency of fewer than 400 employees. Specific examples of what we have done and plan to do in the privacy areas are found in our responses to the specific audit findings.

        We particularly welcome this audit, which we have always viewed as an opportunity to obtain a baseline that will assist management in working with the IG and with other stakeholders to improve the agency’s privacy and data protection management. The importance we attach to privacy issues is reflected in this fact: in the entry conference for this audit, in October 2007, we were informed that so far as IG staff could determine, fewer than 10 agencies at that time had undertaken and made public the results of their section 522 audits. We believe that undergoing the audit process and publicizing its findings at this early stage of our privacy efforts underscores, particularly in comparison with other agencies, the FEC’s commitment to enhance privacy protections within the bounds of our statutory mandate and the resources available to us.

        We read the audit’s seven findings as identifying four immediate and concrete, as opposed to conceptual, issues to be tackled: the development of an inventory of personally identifiable information (PII); the physical security of hard copies and portable electronic media containing PII; the finalization of privacy policies and procedures; and staff training. As of this writing, two of these issues should be addressed in very short order: all draft policies and procedures have now been forwarded to the Commission for its consideration, and privacy training for all employees is under development and calendared for the first quarter of 2008. As for the other two issues, we have already sent a Commission-wide message reporting the results of the auditors’ walkthrough and reminding employees of their obligations concerning the physical security of their work areas, and, as set forth in our response to Finding 1, we believe we have made a strong start towards the development of a PII inventory.

22

        We also believe that the co-CPO structure described in the report, and differed with by the auditors, is in large part responsible for our making as much progress as we have – both for the expertise-related reasons described in our response to Finding 4, and for the simple reason that the involvement of two teams has made more people (though still very few) available to work on privacy-related tasks than otherwise might have been available.

        We look forward to giving careful consideration to all of the recommendations in the report, and implementing many of them. Our specific responses to the audit’s findings follow.

Finding 1: A Comprehensive Inventory of Personally Identifiable Information Has Not Been Documented

Management concur - Yes

Management Response: We believe that the process of completing the SORNs provided a very good start to our PII inventory. In connection with that process, the FEC reviewed its holdings of agency records. The review revealed that the agency’s most sensitive PII is covered by either a proposed FEC SORN or a government-wide SORN. In fact, the auditors have informed us that, based on their survey of a sample of agency employees about PII, it appeared that all of the agency’s most sensitive PII was covered by a SORN. Management knows with a fairly high degree of confidence which business units within the Commission collect and retain what kinds of PII and for what purposes. The PII identified during the after-hours walkthrough, noted in “Effect” above, is not as much related to the issue of having an inventory, but rather related to the issue of security, training, and implementation. Also, in compliance with OMB Memorandum 07-16 and additional implementation guidance from OMB staff, the FEC has already published, on the agency website, a schedule to periodically review agency holdings of PII. The PII review will cover all agency PII and not just the most sensitive agency PII contained in the SORNs. Moreover, the FEC is in the process of finalizing its Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers. Prior to the development of this plan, the FEC sent out a survey to agency divisions to determine which ones collect and use social security numbers, the rationale for collection and use, whether the collection is necessary, and whether alternate identifiers may be used. The initial survey results provided useful information and will assist us in implementing the above-mentioned plan.

We anticipate that our efforts to inventory PII will also be assisted by the audit results, and by collateral benefits from contractor support now underway to enable the Commission to prepare for compliance with electronic discovery amendments to the Federal Rules of Civil Procedure.

However, a truly comprehensive inventory of all PII retained within the Commission may require contractor support when adequate financial resources become available.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 2: Safeguards Over Sensitive Personally Identifiable Information Need Improvement

Management concur - Yes

Management Response: Although FEC Management believes it does have controls in place to sufficiently protect PII, it concurs that there is always room for improvement. With this in mind, the FEC is reexamining its Privacy Program to ensure that its policies, procedures, and guidelines to protect PII are at an acceptable level. In addition to this reevaluation, Management will again remind FEC employees of the importance of protecting PII, and implement personalized training specific to the agency to assist each employee and contractor in understanding the critical importance of protecting PII.

23

In particular, we understand this Finding, and the results of the walkthrough, as raising a specific issue regarding the physical security of hard copy documents containing the most sensitive PII, as well as of electronic documents stored on portable media. Management plans to address this issue through an email that has already been sent to all staff about the walkthrough and its results; through particular emphasis in the privacy training now under development; and through consultation with the Commission’s Administrative Officer, who is also the Commission’s physical security officer, about other means and methods.

As mentioned in response to Finding 1, we anticipate that our efforts to conduct a more comprehensive inventory of PII will be assisted by the receipt of the audit results and by collateral benefits from contractor support now underway to enable the Commission to prepare for compliance with electronic discovery amendments to the Federal Rules of Civil Procedure. However, a truly comprehensive inventory of all PII retained within the Commission may require contractor support when adequate financial resources become available.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 3: Privacy Policies and Procedures Have Not Been Approved and Implemented

Management concur - Yes

Management Response: We are in the process of finalizing agency privacy policies, procedures and directives. The final documents have been circulated for Commission approval.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 4: Privacy Roles and Responsibilities Are Not Adequately Documented

Management concur - No

Management Response: The FEC has given careful consideration in making the decision to have Co-CPOs/SAOPs. We believe that no one person at the FEC could effectively handle this task. There are specific areas of expertise required on the legal side as well as the IT area that lend themselves to shared duties by staff that have expertise in these areas. In other words, the synergy currently in place makes the sum of the parts greater than the whole or just having one CPO/SAOP. The two skill sets provide for complementary efforts that allow for collaboration of people with organizational and technical skills to get the job done. In fact, the partnership between the two positions (Associate General Counsel for General Law and Advice and the Chief Information Officer) allows for the perfect balance of expertise to ensure all aspects of privacy requirements are addressed.

The two individuals that hold these positions and their respective staff are working well together on privacy matters; each office brings vital expertise to the task of privacy protection that the other does not have; the structure is consistent with the organization of the agency itself, in which the General Counsel and Staff Director each report directly to the Commission; and in practical terms, designation of any official as a single Chief Privacy Officer/Senior Agency Official for Privacy will not remove from either OGC or ITD any of the privacy duties either office now performs. In essence this structure allows for more people to be involved with shared ownership and accountability, ensuring maximum effort is spent to address the critical tasks of protecting PII.

24

Obviously, some privacy duties will by their nature involve primarily legal issues, and those will be principally in the purview of the Associate General Counsel for General Law and Advice. Some will by their nature involve primarily issues of information technology or information systems security, and those will be principally in the purview of the Chief Information Officer. We note that in our draft privacy policy documents, duties regarding compliance with the Privacy Act of 1974 are assigned solely to the “FEC Privacy Officer,” a position distinct from the CPO or SAOP that will be held solely by the Associate General Counsel for General Law and Advice. Certain other duties related to the acquisition and management of information technology and information resources, the development of a sound, secure and integrated IT architecture, and promotion of effective and efficient design and operation of all major information resources management processes are specified in the draft as assigned solely to the Chief Information Officer. To the extent this Finding is about the specificity of the assignment of other responsibilities in the draft document, we will, of course, carefully consider the recommendations.

Auditor Response: While management does not concur with our recommendation of assigning one Chief Privacy Officer, we do want to reiterate our belief that the effective management of privacy within the agency is best achieved when overall responsibility and accountability lie with one individual. Proceeding with Co-CPOs and Co-SAOPs will inherently increase the risk of specific activities related to the identification and protection of PII being inadequately addressed by management. With that being said, management should ensure that privacy roles and responsibilities which do not easily fall under the legal or IT umbrella have been identified, documented in their privacy policies, and clearly assigned to one of the Co-CPOs. Our audit clearly showed that responsibility for protection of hard copy PII which does not fall under the legal or IT umbrella had not been identified and assigned to either of the CPOs, and as a result, we found numerous instances where sensitive PII was unprotected and susceptible to theft.

Finding 5: Privacy Training Has Not Been Provided to FEC Employees and Contractors

Management concur - Yes

Management Response: The FEC has addressed the protection of sensitive information (PII) in its very extensive training on information systems security; issued guidelines for protecting sensitive information; and followed up with emails and newsletters. Nevertheless, the FEC concurs that there is room for improvement regarding educating staff and contractors on their responsibilities as they relate to privacy. To this end, the FEC is developing a separate privacy education course outlining the components necessary to ensure that all staff and contractors who have privacy responsibilities and access to PII are aware of their roles and responsibilities related to privacy and the need to protect PII during its entire lifecycle. This privacy education course not only incorporates strategies necessary to address the issues presented in this Finding but also ensures that the FEC has a documented mechanism in place to address future changes in the privacy landscape.

Auditor Response: We look forward to following up on this matter in the future to ensure management’s actions adequately address the weaknesses identified.

Finding 6: Privacy Impact Assessments Have Not Been Conducted

Management concur - No

Management Response: Management does not concur simply by way of underlining that the recommendations in this Finding will require careful consideration, and may not ultimately be adopted precisely as set forth in the Finding.

25

The audit has found that we have not conducted
privacy impact assessments, and this is correct. Privacy\nimpact assessments are required by the E-Gov Act, from which the Commission is exempt. There is a\nsimilar requirement in Section 522 of the Consolidated Appropriations Act, 2005. As this particular\nportion of Section 522 appears to be largely duplicative of the E-Gov Act, the Commission has\ndetermined that it is also exempt from this provision of Section 522 (which otherwise generally applies to\nit). To conclude otherwise would be to defeat the purpose of the Commission\'s exemption from the E-\nGov Act.\n\nNevertheless, this legal conclusion -- with which the audit report explicitly does not disagree -- is not the\nreason we do not conduct privacy impact assessments. Our concern, instead, is one of resources.\nExamples of other agencies\' privacy impact assessments (PIA) that we have reviewed appear to be rather\nresource-intensive to produce. For instance, the Justice Department\'s instructions alone for completing\nPIAs run 21 single-spaced pages. We are a small agency, and do not have the resources to devote any\nemployees to privacy duties on a full-time basis. Currently, all employees assigned privacy duties\nperform them as collateral duties. We concluded that the opportunity costs of delay in non-privacy\nprojects on which staff would otherwise be working would outweigh whatever benefits we would receive\nfrom doing them. We will of course, however, carefully consider the recommendation regarding PIAs.\n\nFrom the specific criticism of failure to conduct PIAs, the Finding expands its conclusion to a broader\npoint, which is also addressed in the Executive Summary. 
As we understand it, the auditors recommend\nthat to the extent the Commission chooses not to follow National Institutes of Standards and Technology\nguidance issued pursuant to the Federal Information Security Management Act (from which the\nCommission is also exempt), it should adopt what the Finding refers to as a formal "governance\nframework." Under such a framework, again as we understand it, privacy decisions (at a minimum) or all\nmanagement decisions in the agency (ideally) would be assessed under, and be to some degree driven by,\na formal risk assessment process. As an example of such a process, the Finding refers specifically to the\n"COSO" model ("Committee of Sponsoring Organizations of the Treadway Commission,") which we are\ninformed is one such model adopted by many private sector entities in the wake of the Sarbanes-Oxley\nAct.\n\nThis is an area on which management will need to obtain more information. While we certainly\nunderstand the relevance of risk management concepts and processes to the potential danger of a loss of\nsensitive PII, we believe that recommendations about how the Commission assesses risk or makes\nmanagement decisions in general are certainly at the edge of this audit\'s scope, and will require careful\nand deliberate consideration by the Commission itself and the agency\'s most senior management prior to\nany decision to implement the recommendation here.\n\nIt should be noted that the FEC has taken an industry best practice approach and adopted a risk based\nInformation System Security Program. This risk based approach is outlined in 58A Information System\nSecurity Program Policy and specifically in 58-2.1 Risk Management Policy (both of which were\nprovided to the auditors). 
In concert with its risk based approach and in accordance with industry best\npractice the FEC has developed a comprehensive certification and accreditation process which provides\nsenior management with an accurate view of vulnerabilities and threats, risk evaluation and prioritization,\nrisk mitigation strategies and any associated residual risk. Evidence of our adherence to a risk-based\napproach is indicated by contracting with an unbiased third party to conduct a series of formal risk\nassessments. These risk assessments are currently ongoing. The information obtained from these risk\nassessments will be utilized to develop, modify and implement any new policies, procedures and\nstandards to improve the Commission\xe2\x80\x99s protection of all sensitive information, including PII. The FEC\xe2\x80\x99s\nrisk-based model is based upon standard industry best practices and facilitates a cost effective\nmethodology for senior management to evaluate security strategies to protect information commensurate\nwith the information\xe2\x80\x99s level of sensitivity.\n\n                                                   26 \n\n\x0cAdditionally, it should be noted that we have created and implemented 28 security policies and 14 security\nstandards which we believe demonstrates that the agency is truly following best practices. 
With the current\nstaffing and financial limitations we believe these safeguards provide an acceptable level of risk.\n\nAuditor Response: While management may be exempt from specific laws and regulations which outline\nsecurity best practices, we believe management\xe2\x80\x99s fiduciary responsibility is to ensure adequate controls are\nin place to protect the FEC\xe2\x80\x99s information and information systems confidentiality, integrity, and availability.\nA security framework does not distinguish between what types of data it is protecting but rather guides\nmanagement in identifying, implementing, and monitoring the effectiveness of controls over information the\nagency determines to be important or sensitive. Examples of sensitive information can include not only\nprivacy data, such as social security numbers and banking information, but also agency or company trade\nsecrets and confidential business information. For this reason, we believe the best way to identify and\nprotect PII, which was the focus of our audit, is to have a comprehensive security management framework\nin place.\n\nFinding 7: Personnel Are Not Complying with FEC Computer Security Policy\n\nManagement concur - Yes\n\nManagement Response: This Finding raises issues similar to those raised by Finding 2 in that both\ninvolve the physical security of work stations and common areas. 
As stated in response to that Finding, management intends to address these physical security issues through an e-mail that has already been sent to all staff; through strong emphasis in the privacy training now under development and in continued information systems security training; and through other means and methods to be developed by the co-Chief Privacy Officers in conjunction with the Commission's physical security officer and other management officials.

Auditor Response: We look forward to following up with this matter in the future to ensure management’s actions adequately address the weaknesses identified.


ATTACHMENT 2

STATUS OF PRIOR-YEAR PRIVACY FINDINGS AND RECOMMENDATIONS

Each entry below lists the prior-year Finding, the Recommendation made under it, and the Status (Open or Closed) with the audit team's explanatory note.

Finding: Confirm identification of personally identifiable information protection needs

   Recommendation: Perform a risk assessment to examine the threats and vulnerabilities associated with remote access to Federal Election Commission (Commission) resources and physical removal of PII.
   Status: Open. Management will perform risk assessments for major applications and the general support system (GSS) in the near future. An examination of threats and vulnerabilities associated with remote access to FEC resources and physical removal of PII will be included in the GSS risk assessment.

   Recommendation: Perform a complete inventory of Commission assets clearly identifying which employees have custody over these assets, with emphasis on removable portable devices; the make, build and configuration of these portable devices; and which devices have been encrypted and/or password-protected.
   Status: Closed. Management provided the audit team with a comprehensive inventory of all laptops and Blackberry devices including whom it was issued to, model, serial, and barcode numbers, and if the device is password protected, encrypted, and has 2-factor authentication.

   Recommendation: Implement technical and/or policy controls to prevent access to the Commission's resources for non-encrypted laptops, either locally or remotely.
   Status: Open. Management is in the process of implementing a network access control device that will deny or restrict access to the FEC’s network for devices not in compliance with the FEC’s policies and minimum settings. This device will not, however, be implemented until calendar year 2008.

   Recommendation: Implement password protection for personal digital assistants (PDAs) that have access to Commission email and other sources of sensitive information.
   Status: Closed.

Finding: Verify adequacy of organizational policy

   Recommendation: Update the Mobile Computing Security Policy to more accurately reflect which systems will be encrypted and which ones will be password protected in order to remove any ambiguities in the policy. Management should incorporate explicit rules for determining if remote access is allowed, user training and accountability measures in place to ensure that remote use of PII does not result in bypassing management controls.
   Status: Open. Management did not change the Mobile Computing Security Policy to clarify which systems will be password protected and which will be encrypted. The policy states that “all mobile computing devices including Blackberries and Palm Pilots must be encrypted and/or password protected.” The FEC stated that laptops must be encrypted and password protected while other devices, such as Blackberries and Palm Pilots, only need to be password protected. This is still, however, unclear in the policy.

Finding: Implement protection for personally identifiable information being transported and/or stored offsite

   Recommendation: Implement a review process to ensure FEC users have effectively downloaded and installed the encryption software and measures are in place to prevent possible circumvention of these safety precautions.
   Status: Closed.

   Recommendation: Test and document results of all pre-deployment testing performed by the Information Technology Division to ensure the selected encryption software is compatible for FEC use.
   Status: Closed.

Finding: Implement protections for remote access to personally identifiable information

   Recommendation: Complete the implementation of the USB two-factor authentication devices.
   Status: Closed.

   Recommendation: Update Commission mobile computing security policies to include procedures for downloading and remote storage of data.
   Status: Open. Management did not change the Mobile Computing Security Policy to include procedures for downloading and remote storage of data. Users are periodically reminded to save files to the network through emails and newsletters. The policy has not, however, changed.

Finding: Additional Agency Requirements

   Recommendation: Implement encryption technology on identified portable devices.
   Status: Closed. Encryption technology has been installed on FEC laptops. Management provided the audit team with a comprehensive inventory of all laptops and Blackberry devices including whom it was issued to, model, serial, and barcode numbers, and if the device is password protected, encrypted, and has 2-factor authentication. We noted that there are several Apple laptops in use which do not have PGP encryption installed. However, the FEC stated that “no sensitive data is saved or accessed on the Apple laptops.” Further, FEC also stated that “Apple users were not issued property passes,” thereby restricting removal of the laptops from the FEC premises. OMB Memorandum M-06-16 allows this written permission. We verbally informed management that this approval should be in writing.

   Recommendation: Implement password protection on peripheral portable devices (Palm Pilots, Blackberries, etc.).
   Status: Closed.

   Recommendation: Implement a timeout feature for laptops/desktops which will timeout after 30 minutes of inactivity. [No timeout feature is in place for other peripheral devices.]
   Status: Open. We reviewed the Blackberry server settings and noted that the timeout is set at 60 minutes instead of 30 minutes. In addition, users have the ability to change the timeout setting.

   Recommendation: Log all computer-readable data extracts, as comprehensive implementation of encryption on all portable computers will ensure PII is adequately protected.
   Status: Open. Management considers logging all computer-readable data extracts as neither feasible nor reasonable and therefore does not intend to complete this recommendation.


ATTACHMENT 3

DEFINITIONS

Individual: A citizen of the United States or an alien lawfully admitted for permanent residence.

Information in Identifiable Form: Information in an IT system or online collection (a) that directly identifies an individual (name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (b) by which an agency intends to identify specific individuals in conjunction with other data elements (indirect identification). These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

Personally Identifiable Information (PII): Any piece of information that can potentially be used to uniquely identify, contact, or locate a single person. Information such as social security numbers and banking information is generally considered sensitive.

Privacy Impact Assessment (PIA): Analysis of how information is handled (a) to ensure that handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (b) to determine risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and (c) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

Privacy Policy in Standardized Machine-Readable Format: A statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a web browser.

System of Records (SOR): A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

System of Records Notice (SORN): A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual that is required to be published in the Federal Register in accordance with the 1974 Privacy Act.